windows nt2000 event log management and intrusion detection

1
windows nt/2000 event log management and
intrusion detection

• cory scott
• securify, inc.
• cscott_at_securify.com

2
topics covered

• Requirements for Event Log Management and IDS
  systems
• Issues with Windows NT/2000 Event Logging
• Commercial tools
• Event Log Architecture
• Batch processing of Event Logs
• A proposed solution
• Using syslog as an Event Log management solution
• Events to look for

3
What are the requirements for an event log
management system?

• The ability to transmit log messages in
  real-time or in batch to other monitoring
  systems
• Analysis should be able to utilize common
  scripting tools with the same ease that has
  existed in the UNIX world for years
• Alerting features should exist that are
  completely customizable to the administrator
• Filtering of extraneous or repetitive log events
  prior to analysis
• Storage of event log message for safekeeping in
  flat files or databases

4
What are the requirements for an IDS?

• Analysis should be combined with a common-sense
  auditing policy that allows for intrusion
  detection by looking for suspicious events
• Accountability (identify and authenticate each
  user and process in the system)
• Real-time detection and response
• Subgoals forensic evidence, system analysis,
  system performance, problem identification
• These goals are often in conflict

5
types of responses

• Active- Take action against intruder- Amend the
  environment- Collect more information
• Passive- Log, alert, and/or alarm
• (ala Bace, pg. 125-129)

6
windows nt event logging
Distributed nature of logs with no built-in way
to centralize Inaccessible, cryptic, and
superfluous entries No real-time reaction
ability Not a lot of good information out there
on what events to look for hard to map user to
action
7
commercial tools

• Some only measure uptime and provide limited
  information
• Most attempt to apply a one-size-fits-all
  approach to suspicious events
• Most are non-heterogeneous
• Many have a lot of bloat and lack of flexibility
• Most are overkill
• On the flip side, they are getting better and
  there is a direct line of support with a
  commercial tool.

8
event log architecture

• Architecture Overview
• The three types of event logs what goes where
• - Application
• - Security
• - System
• Also in Win2k - Active Directory, File
  Replication, DNS

9
event log message internals

• Timestamp
• Severity
• IDs Sources
• Description
• Event Data

10
Batch processing of Event LogsTask Scheduling
Review

• Scheduling tasksThe AT command and the Task
  Scheduler
• at 1200 /everySu,M,T,W,Th,F,S runme.bat
• Or repeating in smaller increments
• Script called runme5.bat contains
• SOON 300 C\RUNME5.BATC\RUNME.BAT

11
task scheduler
12
batch processing of event logsexporting and
dumping

• Binary file backup
• - Within the Event Viewer
• - NTOLog
• Viewing the binary logs
• - Manual Event Viewer
• - Batch DumpEl with b switch
• Extracting event logs into text files
• - DumpEl

13
batch processing of event logsexporting and
dumping examples

• NTOLog www.ntobjectives.com
• ntolog \\SERVER /b /c /sec /f secbackup.evt
• DumpEl Windows NT/2000 Resource Kit
• dumpel -f secevts.txt -l Security -d 1
• (live log)
• dumpel -f secevts.txt b -l secbackup.evt -d 1
• (backup log)

14
dealing with windows nt the event log service

• Increase the size of the event logs
• - Disk is cheap!
• Think about retention policy
• - Overwrite as needed
• - Overwrite entries that are x days old
• - Do not overwrite

15
suggested audit policy

• Depends on environment however, there are some
  settings that are commonplace
• Logon and Logoff (Failure)
• User and Group Management (Success and Failure)
• Security Policy Changes (Success and Failure)
• File and Object Access (Failure)
• Restart, Shutdown, and System (Success and
  Failure)

16
event log registry entries

• CrashonAuditFail
• HKLM\System\CurrentControlSet\Control\Lsa
• CrashOnAuditFail1
• Only impacts on the Security log
• Secure logs against remote access
• HKLM\System\CurrentControlSet\Services\
• EventLog\LogName
• RestrictGuestAccess1

17
one solution

• Centralized logging of multiple hosts (including
  NT, UNIX, applications) using the syslog protocol
• While this is nothing spectacularly new to the
  UNIX realm (although there arent a good number
  of strong deployments), this is gaining
  popularity in the NT realm.
• Why intermingle logs of different NT and UNIX and
  firewall and router systems?Correlation, depth
  of coverage (might miss it on one, but not the
  other), synchronization, ease of administration

18
transmitting event log messages

• Syslog client for Windows NT EventReporter (was
  EvntSlog)
• Forwarding event log messages realtime via syslog
• Available at www.eventreporter.com
• Approximately 25 a server

19
breakdown of a syslog message

• Local and remote capability 514/udp
• Facility
• Auth, Auth-Priv, Cron, Daemon, Kern, LPR, mail,
  mark, news, syslog, user, uucp, local0-local7
• Priority
• Emergency, Alert, Critical, Error, Warning,
  Notice, Info, Debug

20
building a secure logging server

• Common security practices
• - Physical, network, host based security
• - Read-once ability
• - Sync time sources

21
building a secure logging server

• Important tools to use
• Syslog-ng
• A good replacement for syslogd www.balabit.hu
• Swatch
• A flat file monitoring utility
  www.stanford.edu/atkins/swatch
• Sendpage
• Pager gateway - sendpage.cpoint.net
• Perl

22
syslog client and server communication

• Configuring EventReporter
• - Define a syslog server
• - Define which logs are sent and at what
  facility
• Configuring syslog-ng
• - Define sources (local / remote)
• - Define filters (facility, priority,
  program, host, grep)
• - Define destinations (file, pipe, stream,
  tty, program, syslog)
• - Define logs (combinations of sources,
  filters, destinations)

23
best practices for logging / watching the logfiles

• Suggested configurations and audit policy for
  system logs
• How to log your own events from Windows NT and
  2000 Logevent, a Reskit utility
• logevent "Danger - core temperature critical!"
• Swatch configuration
• swatch -c HOME/.swatchrc -t /var/log/critical
  
• In .swatchrc
• watchfor /User account lockout/
  mailadmin_at_acme.com,subjectLockout

24
events to look for

• Logon/Logoff
• Account Policy Violations
• System Events
• User and group events
• Policy Changes
• New events to Windows 2000

25
events to look for

• Logon/Logoff
• Unknown Username or Bad Password
• Security Event 529 - Failure Audit
• Unsuccessful Logon
• Security Event 537 Failure Audit
• Make sure you are monitoring each workstation for
  these events.

26
events to look for

• Logon Types
• 2 Interactive
• 3 Network
• 4 Batch
• 5 Service
• 6 Proxy

27
events to look for

• Violations of Account Policies Failure Audits
• Account Logon Time Restriction Violation
• Security Event 530
• Account Currently Disabled - Security Event 531
• Account Has Expired - Security Event 532
• User Not Allowed to Log on - Security Event 533
• Logon Type Restricted - Security Event 534
• Password Expired - Security Event 535

28
events to look for

• System Events
• System Restart - System Event ID 512
• Some Audit Event Records Discarded - System Event
  ID 516
• Audit Log Cleared - System Event 517

29
events to look for

• User and Group Management
• User Account Created / User Account Deleted -
  Security Event 624 / 630
• Change Password Attempt - Security Event 627
• Local Group Member Added / Global Group Member
  Added - Security Event 636 / 632
• User Account Changed - Security Event 642
• Domain Policy Changed - Security Event 643

30
events to look for

• Policy Change
• User Right Assigned / Removed - Security Event
  608/609
• Audit Policy Change - Security Event 612
• New Trusted Domain / Removing Trusted Domain -
  Security Event 610/611

31
events to look for

• New to Windows 2000
• Encrypted Data Recovery Policy Changed
• Security Event ID 617
• IPSec policy agent changed
• Security Event ID 615
• IPSec policy agent disabled
• Security Event ID 614
• IPSec policy agent encountered a potentially
  serious failure
• Security Event ID 616

32
summing it up

• Managing Event Logs can be a difficult process,
  but the rewards of a well-tuned logging system
  are worth it!
• Check out my article on this topic at
  securityfocus.com in the Microsoft Focus area

33
end of presentation

• Please remember to fill out the speaker
  evaluation forms.
• Updated slides available at
• http//packetstorm.securify.com/papers/
• NT/cscottSANS.ppt